Hello,
I have 2 CentOS 5.4 servers running OpenLDAP 2.4.20 installed from Buchan Milne's repository (openldap2.4-servers-2.4.20-1.el5).
The first server is a Sync Provider. The second is a consumer with 'starttls=critical'.
I have no problem after 'yum update' of the master (openldap2.4-servers-2.4.22-1.el5 is installed and replication is OK).
But after 'yum update' of the slave, syncrepl won't work anymore because of TLS failures.
Here are the logs on the master:
Oct 20 16:51:15 vcos-castor slapd2.4[20097]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $ bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/openldap-2.4.22/servers/slapd
Oct 20 16:51:15 vcos-castor slapd2.4[20098]: slapd starting
Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 ACCEPT from IP=IP.OF.THE.SLAVE:46212 (IP=0.0.0.0:389)
Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 STARTTLS
Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 RESULT oid= err=0 text=
Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 closed (TLS negotiation failure)
Here are the logs on the slave:
Oct 20 16:51:45 vcos-pollux slapd2.4[1808]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $ bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/openldap-2.4.22/servers/slapd
Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slapd starting
Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slap_client_connect: URI=ldap://NAME_OF_THE_MASTER Error, ldap_start_tls failed (-11)
Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: do_syncrepl: rid=000 rc -11 retrying (4 retries left)
ldapsearch from the slave can do TLS:
$ ldapsearch -ZZ -x -h NAME_OF_THE_MASTER
This is ldapsearch from openldap-clients-2.3.43-12.el5_5.2 as packaged by CentOS.
Any ideas on how to troubleshoot the problem?
Regards, Thierry
PS: as a side note, both servers are Xen VMs running on CentOS hosts.
Are you using self-signed certificates? Could it be that the update overwrote your CA certificate file, or overwrote the path to your CA file(s) with one that doesn't contain your own CA's certificate in some config file?
On Wednesday, 20 October 2010 16:13:44 Thierry Lacoste wrote:
Note that the syncrepl statement now has its own TLS configuration; see the options tls_cert, tls_key, tls_cacert, tls_cacertdir, tls_reqcert, tls_ciphersuite and tls_crlcheck of the syncrepl statement.
Regards, Buchan
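A consumer-side syncrepl stanza carrying its own TLS settings, as Buchan's note describes, written here as an added illustration and not configuration taken from the thread; the searchbase, bind DN, credentials and certificate paths are placeholders, and only rid, provider and starttls=critical come from the thread.

```conf
# Added example (slapd.conf syntax), not the thread's own configuration.
# Placeholders: searchbase, binddn, credentials, certificate paths.
#
# Before: the consumer stanza only requested STARTTLS and carried no
# TLS options of its own (as reported in the thread):
#
#   syncrepl rid=000
#           provider=ldap://NAME_OF_THE_MASTER
#           starttls=critical
#           ...
#
# After: the same stanza with the syncrepl-specific TLS options set.
syncrepl rid=000
        provider=ldap://NAME_OF_THE_MASTER
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials="PLACEHOLDER_PASSWORD"
        # critical: replication stops rather than continuing in cleartext
        starttls=critical
        # CA bundle that issued the provider's server certificate
        tls_cacert=/etc/openldap/cacerts/ca.pem
        # demand: abort the session if the provider's certificate does not
        # verify; do not "fix" a verification failure with tls_reqcert=never
        tls_reqcert=demand
        # Consumer client certificate, only if the provider requires one
        #tls_cert=/etc/openldap/certs/consumer.crt
        #tls_key=/etc/openldap/certs/consumer.key
        tls_crlcheck=none
```

The ldapsearch -ZZ test in the thread exercised the 2.3 client's own ldap.conf (TLS_CACERT), not these stanza settings; to check the consumer's trust store from the shell, run the same ldapsearch with LDAPTLS_CACERT pointing at the file named in tls_cacert.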
On 20 oct. 10, at 18:04, Buchan Milne wrote:
Thanks a lot. That solved it. I didn't find anything about that in the Release Changes.
Regards, Thierry
openldap-technical@openldap.org